On Tue, 2017-04-04 at 23:39 +0200, Niels Möller wrote:
> > "These variants take advantage of a randomly chosen salt value, which
> > could enhance the security by causing output to be different for
> > equivalent inputs.
> >
> > However, assuming the same security level as inverting the
> > @acronym{RSA} algorithm, a longer salt value does not always mean
> > better security
> > @uref{http://www.iacr.org/archive/eurocrypt2002/23320268/coron.pdf}.
> > The typical choices of the length are between 0 and the digest size
> > of the underlying hash function."
>
> That's better, but still not crystal clear. In what scenarios does
> the salt provide additional security? If the attacker gets to see
> signatures but not the corresponding messages?
The salt is needed in the "tight" proof for RSA-PSS, which in the end
assures that if RSA-PSS is broken, RSA is broken. As far as I understand,
it is not tied to some concrete attack. The paper above ties the salt
size to the total number of signatures generated, and PKCS#1 transforms
this into a "security level" question by tying the salt size to the
length of the selected hash.

regards,
Nikos

_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
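The following is an added example, not Nettle code and not part of the thread. It implements RFC 8017's EMSA-PSS encoding and verification from scratch (SHA-256, MGF1) over a toy RSA key generated at run time, so that the points above can be checked concretely: where the salt sits in the encoded message, that a salt length of 0 makes signatures of the same message identical while a hash-length salt makes every signature differ, that the salt cannot exceed emLen - hLen - 2 for a given modulus, and that a verifier must either be told the salt length (the PKCS#1 convention of tying it to the hash length that Nikos mentions) or recover it from the 0x01 separator after unmasking. The message is constructed, the 1024-bit key size is chosen only so the demo runs quickly, and the Miller-Rabin key generation is a throwaway helper, not a recommendation.

```python
import hashlib
import hmac
import secrets

HASH, HLEN = hashlib.sha256, hashlib.sha256().digest_size   # hLen = 32 for SHA-256


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || counter) for counter = 0, 1, ..."""
    blocks = (HASH(seed + c.to_bytes(4, "big")).digest()
              for c in range((mask_len + HLEN - 1) // HLEN))
    return b"".join(blocks)[:mask_len]


def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1); the salt is the only randomness."""
    em_len, s_len = (em_bits + 7) // 8, len(salt)
    if em_len < HLEN + s_len + 2:                  # max salt length is emLen - hLen - 2
        raise ValueError("salt too long for this modulus")
    h = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()   # H = Hash(M')
    db = bytes(em_len - s_len - HLEN - 2) + b"\x01" + salt            # PS || 0x01 || salt
    masked = bytes(x ^ y for x, y in zip(db, mgf1(h, em_len - HLEN - 1)))
    top = 0xFF >> (8 * em_len - em_bits)           # clear excess high bits so EM < n
    return bytes([masked[0] & top]) + masked[1:] + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, s_len) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2). s_len=None recovers the salt length
    from the 0x01 separator instead of requiring the verifier to know it."""
    em_len = (em_bits + 7) // 8
    top = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em[-1] != 0xBC or em[0] & ~top & 0xFF:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    db = bytes(x ^ y for x, y in zip(masked, mgf1(h, em_len - HLEN - 1)))
    db = bytes([db[0] & top]) + db[1:]
    if s_len is None:
        sep = db.find(b"\x01")
        if sep < 0:
            return False
        s_len = len(db) - sep - 1                  # everything after 0x01 is salt
    ps_len = em_len - HLEN - s_len - 2
    if ps_len < 0 or db[:ps_len] != bytes(ps_len) or db[ps_len] != 0x01:
        return False
    salt = db[ps_len + 1:]                         # s_len bytes, empty when s_len == 0
    h2 = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    return hmac.compare_digest(h, h2)


def _probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for a throwaway demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_key(bits: int = 1024, e: int = 65537):
    """Toy RSA keygen -> (n, e, d); 1024 bits only keeps the demo fast."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1   # top and low bit set
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)


def pss_sign(key, message: bytes, s_len: int) -> bytes:
    """RSASSA-PSS-SIGN with a fresh random salt of s_len bytes."""
    n, _, d = key
    em = emsa_pss_encode(message, n.bit_length() - 1, secrets.token_bytes(s_len))
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def pss_verify(pub, message: bytes, sig: bytes, s_len=None) -> bool:
    """RSASSA-PSS-VERIFY; s_len=None recovers the salt length from the encoding."""
    n, e = pub
    mod_bits, s = n.bit_length(), int.from_bytes(sig, "big")
    if len(sig) != (mod_bits + 7) // 8 or s >= n:
        return False
    try:
        em = pow(s, e, n).to_bytes((mod_bits + 6) // 8, "big")   # emLen = ceil(emBits/8)
    except OverflowError:                                         # "integer too large"
        return False
    return emsa_pss_verify(message, em, mod_bits - 1, s_len)


def demo(key=None) -> dict:
    """Sign one constructed message with salt lengths 0, hLen and the maximum
    emLen - hLen - 2; every reported property should be True."""
    key = key or gen_key()
    n, e, _ = key
    pub, msg = (n, e), b"constructed sample message"
    max_s = (n.bit_length() + 6) // 8 - HLEN - 2
    z1, z2 = pss_sign(key, msg, 0), pss_sign(key, msg, 0)
    r1, r2 = pss_sign(key, msg, HLEN), pss_sign(key, msg, HLEN)
    return {
        "salt_0_is_deterministic": z1 == z2,
        "salt_hlen_differs_per_signature": r1 != r2,
        "salt_0_verifies": pss_verify(pub, msg, z1, 0),
        "salt_hlen_verifies": pss_verify(pub, msg, r1, HLEN),
        "max_salt_verifies": pss_verify(pub, msg, pss_sign(key, msg, max_s), max_s),
        "wrong_salt_length_rejected": not pss_verify(pub, msg, r1, 0),
        "auto_salt_length_recovered": pss_verify(pub, msg, r1) and pss_verify(pub, msg, z1),
        "changed_message_rejected": not pss_verify(pub, msg + b"!", r1, HLEN),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` prints a dictionary whose values are all True. The `wrong_salt_length_rejected` entry is the practical reason the salt length has to be fixed by convention or recovered: a PSS verifier that is handed the wrong sLen fails even on a valid signature, and the `auto` recovery path is only possible because the salt is what follows the 0x01 separator in the unmasked DB. With `max_s` set to emLen - hLen - 2 the encoding leaves no padding string at all; one byte more raises the "salt too long" error, which is the hard limit behind the "a longer salt does not always help" remark in the documentation text.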